Value set: lift offset from numeric constants to expressions #8647
Conversation
tautschnig
force-pushed
the
value-set-offset
branch
from
9764fbe to
5d136c4
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## develop #8647 +/- ##
===========================================
- Coverage 80.37% 80.37% -0.01%
===========================================
Files 1686 1686
Lines 206889 206894 +5
Branches 73 73
===========================================
- Hits 166289 166283 -6
- Misses 40600 40611 +11 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
We can safely track arbitrary expressions as pointer offsets rather than limit ourselves to just constant offsets (and then treating all other expressions as "unknown").
tautschnig
force-pushed
the
value-set-offset
branch
from
5d136c4 to
41811ba
Compare
| // update value sets | ||
| exprt l1_rhs(rhs); | ||
| get_l1_name(l1_rhs); | ||
|
|
||
| const ssa_exprt l1_lhs = remove_level_2(lhs); | ||
| if(run_validation_checks) | ||
| { | ||
| DATA_INVARIANT(!check_renaming_l1(l1_lhs), "lhs renaming failed on l1"); | ||
| DATA_INVARIANT(!check_renaming_l1(l1_rhs), "rhs renaming failed on l1"); | ||
| } | ||
|
|
There was a problem hiding this comment.
Why is it safe to remove these checks ?
| @@ -981,7 +981,7 @@ normalize(const object_descriptor_exprt &expr, const namespacet &ns) | |||
| { | |||
| return expr; | |||
| } | |||
| if(expr.offset().id() == ID_unknown) | |||
| if(!expr.offset().is_constant()) | |||
There was a problem hiding this comment.
Can we get a high level description of what is the normal form we're trying to reach ?
| @@ -184,7 +183,7 @@ void value_sett::output(std::ostream &out, const std::string &indent) const | |||
| stream << "<" << format(o) << ", "; | |||
|
|
|||
| if(o_it->second) | |||
| stream << *o_it->second; | |||
| stream << format(*o_it->second); | |||
There was a problem hiding this comment.
now we have to print an expression instead of a mere integer
There was a problem hiding this comment.
I have one remaining question: Now that we have symbolic offsets for pointer expressions instead of just "constants" or "unknown", is there ay way to use that to compute more precise results in get_value_set_rec ? I know it lets us be more precise when modelling assignments, but I don't understand why we don't have a similar gain in precision when computing dereferences/traversing value_sets.
Other question: now that the value set representation "knows" that an expression array[i] has an offset of the form i * sizeof(T) could we try to take into account extra constraints about i during the value set traversal ? Let's say we're trying to resolve array[i] in the context of a basic loop invariant 0 <= i && i <= len(array), knowing range constraints about i we could maybe avoid injecting values representing OOB accesses in the value set for array[i] ?
We can safely track arbitrary expressions as pointer offsets rather than limit ourselves to just constant offsets (and then treating all other expressions as "unknown").